The IP 66.85.141.172 is acting as a rotator. A rotator is a link to a Traffic Management System that points users to a different destination each time the link is requested. Such links might also include the name of the group spreading the malware or a campaign ID. According to the whois details, the organization name is coolservers.ru.
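A defender can spot a rotator in web-proxy logs by exactly that behaviour: the same link redirects to a different off-site host on repeated requests. The following is an added example, not code from the original post; the log records, the hosts (reserved documentation names) and the `cid` parameter name are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy-log records: (client, requested URL, HTTP status, Location header).
# All hosts are reserved documentation names/addresses; none come from the page.
SAMPLE_LOG = [
    ("10.0.0.5", "http://192.0.2.10/go?cid=spring01", 302, "http://scan-a.example/start"),
    ("10.0.0.7", "http://192.0.2.10/go?cid=spring01", 302, "http://scan-b.example/start"),
    ("10.0.0.9", "http://192.0.2.10/go?cid=spring01", 302, "http://scan-c.example/check"),
    ("10.0.0.5", "http://shop.example/old", 301, "http://shop.example/new"),
    ("10.0.0.7", "http://shop.example/old", 301, "http://shop.example/new"),
    ("10.0.0.8", "http://shop.example/old", 301, "http://shop.example/new"),
]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def find_rotators(records, min_hits=3, min_distinct=2):
    """Return {url: {"destinations": [...], "params": {...}}} for URLs whose
    redirects land on several different off-site hosts across requests."""
    seen = defaultdict(list)
    for _client, url, status, location in records:
        if status in REDIRECT_CODES and location:
            # Relative Location headers have no hostname and yield None here.
            seen[url].append(urlsplit(location).hostname)

    findings = {}
    for url, hosts in seen.items():
        src = urlsplit(url)
        # Ignore same-site redirects; a rotator hands the visitor to other hosts.
        offsite = {h for h in hosts if h and h != src.hostname}
        if len(hosts) >= min_hits and len(offsite) >= min_distinct:
            findings[url] = {
                "destinations": sorted(offsite),
                # Query parameters may carry a group name or campaign ID.
                "params": dict(parse_qsl(src.query)),
            }
    return findings


if __name__ == "__main__":
    for url, info in find_rotators(SAMPLE_LOG).items():
        print(url, "->", info["destinations"], info["params"])
```

The thresholds `min_hits` and `min_distinct` are tuning knobs; a stable redirect such as the `shop.example` one is not reported because it always lands on the same site.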

The domain server72.helpping.uni.me comes from one of those free domain providers and, as usual, there is no whois information available for it. A fake scanner called Windows Secure Kit 2011 is hosted at this IP. Read more in "Malvertisement on Releaselog installs Windows Secure Kit 2011".

Cybercriminals usually rely on malvertising to achieve their malicious objectives in situations where they cannot remotely compromise a particular legitimate web site through direct hacking, for instance by means of a remotely exploitable SQL injection flaw. In this case, they socially engineer their way into a high-traffic ad network like Yahoo!’s ad platform in order to reach millions of potentially exploitable victims. Thankfully, in this campaign they’re only redirecting users to fake security software, rather than abusing their access to the ad network to serve client-side exploits.

Evil ad networks do things like this. I can't believe that actually happened and I feel I am entitled to give my opinion in order to warn other people about this. I've been using adtomatik for the last two months and got excellent results, higher fill rates and better eCPM than other ad networks.